Authentication
Every API request requires two headers: an API key for authentication and a tenant ID for authorization.
Required headers
| Header | Description | Example |
|---|---|---|
| Authorization | Bearer token with your API key | Bearer live_sk_abc123... |
| X-Tenant-ID | UUID identifying your tenant account | 550e8400-e29b-41d4-a716-446655440000 |

```bash
curl https://api.korastratum.com/islamic-banking/api/v1/murabaha/contracts \
  -H "Authorization: Bearer live_sk_abc123..." \
  -H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000"
```
API key formats
Kora Islamic Banking uses key prefixes to determine the environment automatically:
| Prefix | Environment | Use case |
|---|---|---|
| live_ | Production | Real Shariah-compliant financing and deposit operations |
| test_ | Sandbox | Development and testing; no real processing |

Never embed API keys in client-side code (browser JavaScript, mobile apps, or anything else shipped to end users), and never commit them to source control. Keep keys on your own servers, and load them from a secrets store or environment variable rather than hard-coding them.
Environments
| Environment | Base URL |
|---|---|
| Production | https://api.korastratum.com/islamic-banking/api/v1 |
| Sandbox | https://sandbox.korastratum.com/islamic-banking/api/v1 |
The API automatically routes requests to the correct environment based on your API key prefix. You don't need to change the base URL — a test_ key always hits sandbox, and a live_ key always hits production.
Rate limit headers
Every response includes rate limit information:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed per minute |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp (seconds) when the rate limit window resets |

When you exceed your rate limit, the API returns 429 Too Many Requests. Do not retry immediately in a loop; wait until the time given in X-RateLimit-Reset before sending the next request, and slow down proactively when X-RateLimit-Remaining reaches 0.
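The following Python helper ties the three sections above together: it derives the environment from the key prefix, builds the two required headers, and turns the rate-limit headers into a back-off decision. This is an added example, not Kora's own client library. The tenant-ID check assumes the standard RFC 4122 text form of a UUID, the one-second fallback when a 429 arrives without rate-limit headers is an assumed default, and the sample response headers are constructed for illustration. Only the standard library is used, so it runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

# Base URLs from the Environments table above.
BASE_URLS = {
    "live": "https://api.korastratum.com/islamic-banking/api/v1",
    "test": "https://sandbox.korastratum.com/islamic-banking/api/v1",
}

# Assumption: tenant IDs are RFC 4122 UUIDs in their usual hyphenated text form.
_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Assumed default back-off when a 429 arrives without rate-limit headers.
DEFAULT_BACKOFF_SECONDS = 1.0


def environment_for_key(api_key: str) -> str:
    """Return 'live' or 'test' from the key prefix; reject anything else early."""
    for env in BASE_URLS:
        if api_key.startswith(env + "_"):
            return env
    raise ValueError("API key must start with live_ or test_")


def is_valid_tenant_id(tenant_id: str) -> bool:
    """Reject malformed tenant IDs before they reach the wire."""
    return _UUID_RE.match(tenant_id) is not None


def redact_key(api_key: str) -> str:
    """Form of the key that is safe to write to logs: prefix plus last 4 chars."""
    env = environment_for_key(api_key)
    return f"{env}_...{api_key[-4:]}"


def build_request(api_key: str, tenant_id: str, path: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a request, choosing the base URL from the key prefix."""
    if not is_valid_tenant_id(tenant_id):
        raise ValueError("X-Tenant-ID must be a UUID")
    url = BASE_URLS[environment_for_key(api_key)] + "/" + path.lstrip("/")
    headers = {
        "Authorization": f"Bearer {api_key}",
        "X-Tenant-ID": tenant_id,
    }
    return url, headers


@dataclass(frozen=True)
class RateLimit:
    limit: int        # X-RateLimit-Limit: requests allowed per minute
    remaining: int    # X-RateLimit-Remaining: requests left in this window
    reset_at: int     # X-RateLimit-Reset: Unix timestamp when the window resets


def parse_rate_limit(headers: Mapping[str, str]) -> Optional[RateLimit]:
    """Read the three rate-limit headers (names are case-insensitive in HTTP)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        return RateLimit(
            limit=int(lowered["x-ratelimit-limit"]),
            remaining=int(lowered["x-ratelimit-remaining"]),
            reset_at=int(lowered["x-ratelimit-reset"]),
        )
    except (KeyError, ValueError):
        return None


def seconds_to_wait(status: int, headers: Mapping[str, str], now: float) -> float:
    """Seconds to sleep before the next request; 0.0 means send it now.

    A 429 always waits until the reset time. A successful response with
    X-RateLimit-Remaining at 0 also waits, so the client never provokes a 429.
    """
    rl = parse_rate_limit(headers)
    if status == 429:
        if rl is None:
            return DEFAULT_BACKOFF_SECONDS
        return max(0.0, rl.reset_at - now)
    if rl is not None and rl.remaining <= 0:
        return max(0.0, rl.reset_at - now)
    return 0.0


# Constructed sample: headers as they might appear on a 429 response.
SAMPLE_429_HEADERS = {
    "X-RateLimit-Limit": "60",
    "X-RateLimit-Remaining": "0",
    "X-RateLimit-Reset": "1700000060",
}

if __name__ == "__main__":
    url, hdrs = build_request(
        "test_sk_abc123", "550e8400-e29b-41d4-a716-446655440000", "/murabaha/contracts"
    )
    print(url, redact_key("test_sk_abc123"))
    print("wait", seconds_to_wait(429, SAMPLE_429_HEADERS, now=1700000000.0), "s")
```

Because the base URL is chosen from the key prefix, a test_ key can never be pointed at the production host by a configuration mistake; and because only `redact_key` output is ever logged, a leaked log file does not become a leaked credential.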
Tenant ID
Your tenant ID is a UUID assigned when your account is created. Find it in your dashboard settings. The tenant ID scopes all resources (contracts, accounts, pools, zakat records) to your account.